Jason Kunst
Cisco Employee

Shortcut: http://cs.co/pxgrid-faq

This is a general site for all things pxGrid: resources, demos, FAQs.

 

General info

What's new

pxGrid Cloud 

June 2022

pxGrid 1.0 support

pxGrid 1.0 is not supported after ISE 3.0. It's recommended that all vendors, app builders, etc. move to pxGrid 2.0, which has been available in ISE 2.4+ for many years now.

 

  • pxGrid 1.0 available since ISE 1.3 
  • pxGrid 2.0 since ISE 2.4
  • ISE 2.4+ supports both pxGrid 1.0 and 2.0
  • ISE 3.1+ only supports pxGrid 2.0

General links

 

ISE pxGrid Vendor Integration notes - general information for the client vendor to integrate

ISE pxGrid API help by Viktor Brobov, Cisco

ISE pxGrid Cloud - since ISE 3.1 patch 3

Devnet

pxGrid how to guide - see cs.co/ise-guides 

Demos

Listed at cs.co/selling-ise-demos (Cisco/Partners only)

 

Setup information

pxGrid Context-In

There are issues using the pubsub WebSocket model of pxGrid for profiling and for updating endpoint custom attributes. We are working on a bulk create using Open API in ISE 3.1 patch 5 (late this year). Patch 6 will add update/delete and download capabilities (early 2023).

Sharing SGT SXP Binding information via pxGrid

In general, subscribing to the session directory will give you the dynamic IP-to-tag bindings of user and IoT endpoints over wired, wireless and VPN. What it won't provide is the static mappings added under Work Centers > TrustSec > Components > IP SGT Static Mapping.


Github sxp.binding and Session Directory

 

Here is code showing how to integrate the two:

https://developer.cisco.com/codeexchange/github/repo/cisco-pxgrid/python-advanced-examples

 

static.png

 

In order to share this and subscribe, the pxGrid client will need to subscribe to sxp.bindings 

 

The following 2 check boxes under SXP settings need to be enabled

 

image002.png

 

You will see a subscription to the session directory and the sxp.binding for your test client

Picture1.png

 

Enable a dummy SXP device

Work Centers > TrustSec > SXP > SXP Devices

Screen Shot 2021-07-29 at 3.00.36 PM.png

Troubleshooting
 
In pxgrid-server.log you should see the subscription being added if the client is subscribing to the correct topic:

cpm.pxgridwebapp.ws.pubsub.SubscriptionThreadedDistributor -:::::- adding subscription to [2bae,testcli,OPEN]:/topic/com.cisco.ise.sxp.binding

Try adding or removing an SXP binding and then checking the logs.

 

FAQ 

What are scaling considerations?

pxGrid v2 (WebSocket) does not use much CPU as it is simply forwarding the published messages to subscribers.  On the other hand, pxGrid v1 (XMPP) uses a bit more CPU in XML processing. Every subscriber adds XML processing. 

 

The bottom line is that if the subscribers are mainly pxGrid v2, then it can run on any node.

If subscribers are still pxGrid v1, then we may need to consider a dedicated node.

Can you have a single account for consumer and provider (for both pushing and pulling devices information)?

Yes. A single account can be both consumer and provider.

 

Does using the pxGrid API expose us to the same functionality that we can use in ISE ERS, and vice versa? Is it possible to subscribe to a topic via ERS, without pxGrid?

ERS and pxGrid APIs are different sets of APIs. Most of their functionality does not overlap. ISE ERS is used for CRUD operations against ISE (for example, manipulating objects); for your purposes pxGrid should always be used.

No. Subscription is a pubsub concept that is provided only via the pxGrid WebSocket connection.

We are working towards enabling Open API in ISE 3.1 patch 5 (bulk create) and patch 6 (bulk update/delete/download).

Is the best way to push device information through Endpoint Asset service as a pxGrid provider?

The Endpoint Asset service is consumed by the Profiler feature. Yes, an external client can act as an Endpoint Asset provider. With the current design, the initial load should go through pxGrid context-in and updates through the ERS API.

Is it possible to connect through pxGrid without a certificate (user/pass only)? 

It is allowed but not recommended; certificates are more secure.

In my setup I see pending approvals under Web Clients but also under All Clients?

In pxGrid 1.0, we have “Dynamic capabilities”. Those have to be approved too. So the difference is that one is for client approval and the other is for capabilities approval. For example, you might have had pxGrid 2.0 clients automatically approved, but a pxGrid 1.0 client needs manual approval for its capabilities.

All Clients shows every connection. Web Clients is for WebSockets (pxGrid 2.0 support). In ISE 3.0+ you will see the separation, and in ISE 3.1 pxGrid 1.0 will be completely removed.

 

Under WebSockets I see the client as offline, what does this mean?

This means the client is connected but nothing has been communicated in a while. After 5 minutes of no activity a client will change from Active to Offline

 

Where to find the debug logs?

Troubleshoot and Enable Debugs on ISE

The support bundle can be found under Operations > Troubleshoot > Download Logs > [select the node on which the issue was reproduced/seen].

How can I tell if a node is supporting pxGrid 1.0 vs 2.0?

curl -k -v https://<hostname>:8910/pxgrid/control/version
  • ISE 2.4+ supporting pxGrid 2.0 should return HTTP status OK
  • ISE <2.4 will give you 401

 

pxGrid 2.0 Active/Active and node redundancy, load balancing

From a client standpoint, active/active means it can connect to any of the available ISE pxGrid nodes.

 

pxGrid 2.0 supports more than 2 ISE nodes. It can support as many ISE nodes as there are. The recommendation would be to have 2 at minimum, and possibly a 3rd (tertiary) as well.

 

The purpose of this is to distribute the subscribers in order to distribute network load. So your app would connect to 1 node but have backups if those were offline or failed. 

 

This is the pubsub service that each pxGrid node provides: https://github.com/cisco-pxgrid/pxgrid-rest-ws/wiki/Pubsub

When looking up this service, a list of available nodes will be returned.

https://github.com/cisco-pxgrid/pxgrid-rest-ws/wiki/Session-Directory#multiple-nodes-use-one

 

You would connect to 1 node but still allow the admin to enter up to 4 nodes for redundancy
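The version check and the node list described above can be combined into one start-up check. This is an added example, not code from the original post or from Cisco: it probes each configured node on the version endpoint with TLS verification turned on (rather than `curl -k`) and selects the first node that answers 200. Using the version endpoint as a reachability probe, the host names and the `ise-chain.pem` CA bundle path are assumptions.

```python
import ssl
import urllib.error
import urllib.request

# What each status from /pxgrid/control/version means, per the FAQ answer above.
MEANING = {200: "pxGrid 2.0 available", 401: "ISE older than 2.4 (no pxGrid 2.0)"}


def version_status(host, cafile, timeout=5):
    """HTTP status of the version endpoint, or None if the node is unreachable."""
    # Verify the node certificate against the ISE chain instead of using curl -k.
    ctx = ssl.create_default_context(cafile=cafile)
    url = f"https://{host}:8910/pxgrid/control/version"
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 401 and other non-2xx answers
        return err.code
    except (urllib.error.URLError, OSError):  # DNS, TCP or TLS failure
        return None


def pick_node(nodes, probe):
    """Return (first node answering 200, {node: finding}) for up to 4 nodes."""
    if not 1 <= len(nodes) <= 4:
        raise ValueError("configure between 1 and 4 pxGrid nodes")
    chosen, findings = None, {}
    for host in nodes:
        status = probe(host)
        if status is None:
            findings[host] = "unreachable or TLS verification failed"
        else:
            findings[host] = MEANING.get(status, f"unexpected HTTP {status}")
        if status == 200 and chosen is None:
            chosen = host
    return chosen, findings


if __name__ == "__main__":
    # Hypothetical host names and CA bundle path; replace with your own.
    nodes = ["ise-pxg1.example.net", "ise-pxg2.example.net"]
    node, report = pick_node(nodes, lambda h: version_status(h, "ise-chain.pem"))
    print("connect to:", node)
    for host, finding in report.items():
        print(f"  {host}: {finding}")
```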

  

What is needed for communication from pxGrid client to ISE pxGrid controller?

When you generate a pxGrid client cert on ISE (under pxGrid), it will give you a client cert (use the FQDN and IP address in the SAN). The package also includes the full certificate chain. The client box will present its certificate to ISE, which trusts it (without the chain). The client will need to have the certificate chain (node, sub and root) given in the zip or PKCS12 file.

What's the guidance on using REST API vs pxGrid to do ANC?

Recommendation is to use pxGrid ANC for scaling purposes. We are also trying not to use ERS API because each endpoint update generates a call.

 

There are currently many ways to configure ANC: UI, ERS API, pxGrid v1 API (XMPP, being deprecated in ISE 3.1) and pxGrid v2 API (REST).

ANC requires session lookup that is only available in MnT nodes.

 

Here is where things happen:

  • UI and ERS API are handled on PPAN
  • ANC pxGrid code in MnT nodes registers the ANC capability (for XMPP) and ANC service (for REST/WS)
  • pxGrid XMPP API is routed by XMPP server to MnT nodes.
  • pxGrid REST API is handled on both MnT nodes. Clients do service lookup for ANC service to find the URLs.
  • Session lookup is remote calls to MnTs (call one MnT. If fails, call the other MnT)
  • RADIUS Disconnect is handled by NA’s PrRT module on the local ISE and routed to the corresponding PSN
  • State is stored to PPAN and replicated to other ISE

Thus, configuration on partners will be:

  • For ERS API, the IP of PPAN
  • For pxGrid API, the IPs of pxGrid nodes

My pxGrid client was working before, but it's not working now that I am using a new cert?

When you set up a pxGrid client and it associates with a client cert, the client is then bound to that cert. If you create a new cert, you will need to delete the pxGrid client session on ISE and create a new one (through the vendor client connection screen and cert negotiation) with the new certificate.

You would see an error msg like the one below in pxgrid-server.log

2021-11-19 06:59:25,038 WARN [Thread-56004][] cisco.cpm.pxgridwebapp.config.MyX509Filter -:::::- Mismatched X509 fingerprint user=test123 dn=CN=test123 fingerprint=WePVk1Fv0JDlSQaNGKCVPp92Iww= stored_fingerprintZBvXQNLZX8GX9BpaG4Io6SY5qz0= request_source=[IP Address: 10.21.127.40, port: 57537, hostname: 10.21.127.40] request_dest=[IP Address: 172.23.166.161, port: 8910, hostname: pxgrid-161]
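A small triage script for the two pxgrid-server.log messages quoted on this page (the certificate mismatch above and the subscription message in the Troubleshooting section). This is an added example, not part of the original post or an ISE tool: it lists clients that present a certificate other than the one bound at registration and shows which clients subscribed to which topics. The first sample line is the one quoted above; the others are constructed, and the timestamp prefix on the subscription line is an assumption.

```python
import re
from collections import Counter

# Patterns follow the two pxgrid-server.log messages quoted on this page.
# "=?" tolerates the missing "=" after stored_fingerprint in the quoted line.
MISMATCH = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ \S+ .*?"
    r"Mismatched X509 fingerprint user=(?P<user>\S+) dn=(?P<dn>.+?) "
    r"fingerprint=(?P<presented>\S+) stored_fingerprint=?(?P<stored>\S+) "
    r"request_source=\[IP Address: (?P<src>[^,\]]+)"
)
SUBSCRIBE = re.compile(
    r"adding subscription to \[(?P<id>[^,]*),(?P<client>[^,]*),(?P<state>[^\]]*)\]:"
    r"(?P<topic>/topic/\S+)"
)


def scan(lines):
    """Return (mismatch events, {client: set of topics}) from log lines."""
    mismatches, subs = [], {}
    for line in lines:
        m = MISMATCH.search(line.strip())
        if m:
            mismatches.append(m.groupdict())
            continue
        s = SUBSCRIBE.search(line)
        if s:
            subs.setdefault(s["client"], set()).add(s["topic"])
    return mismatches, subs


def stale_clients(mismatches):
    """Count rejected connections per (user, source IP); these need re-registering."""
    return Counter((e["user"], e["src"]) for e in mismatches)


SAMPLE = [
    # Quoted on this page:
    "2021-11-19 06:59:25,038 WARN [Thread-56004][] cisco.cpm.pxgridwebapp.config.MyX509Filter -:::::- Mismatched X509 fingerprint user=test123 dn=CN=test123 fingerprint=WePVk1Fv0JDlSQaNGKCVPp92Iww= stored_fingerprintZBvXQNLZX8GX9BpaG4Io6SY5qz0= request_source=[IP Address: 10.21.127.40, port: 57537, hostname: 10.21.127.40] request_dest=[IP Address: 172.23.166.161, port: 8910, hostname: pxgrid-161]",
    # Constructed: a retry by the same client, written with "=" after stored_fingerprint.
    "2021-11-19 07:00:25,512 WARN [Thread-56010][] cisco.cpm.pxgridwebapp.config.MyX509Filter -:::::- Mismatched X509 fingerprint user=test123 dn=CN=test123 fingerprint=WePVk1Fv0JDlSQaNGKCVPp92Iww= stored_fingerprint=ZBvXQNLZX8GX9BpaG4Io6SY5qz0= request_source=[IP Address: 10.21.127.40, port: 57602, hostname: 10.21.127.40] request_dest=[IP Address: 172.23.166.161, port: 8910, hostname: pxgrid-161]",
    # Constructed prefix (assumed); the message itself is quoted on this page.
    "2021-11-19 07:02:10,114 INFO [Thread-1][] cpm.pxgridwebapp.ws.pubsub.SubscriptionThreadedDistributor -:::::- adding subscription to [2bae,testcli,OPEN]:/topic/com.cisco.ise.sxp.binding",
]

if __name__ == "__main__":
    events, subscriptions = scan(SAMPLE)
    for (user, src), n in stale_clients(events).items():
        print(f"{user} from {src}: {n} rejected connection(s), certificate mismatch")
    for client, topics in subscriptions.items():
        print(f"{client} subscribed to {sorted(topics)}")
```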

 

Does pxGrid support IPv6?

It supports endpoints and network devices with IPv6 addresses. Currently it doesn't support integrations via IPv6.

 

What are current bugs/enhancements?

 

CSCwb87184 - ENH: Distinguish username from Machine name in PGRID

Comments
MSJ1
Level 1

@Jason Kunst 

My FMC version is 7+, how should I be able to confirm it will support pxGrid 2.0 when I move my ISE to 3.1?
